Updated: Jul 13, 2020
Splunk is the search engine for your application logs and can be use for analyzing, troubleshooting, reporting, monitoring and security for your application. Splunk work as the central repository for the logs coming from servers throughout the network. It can generate the statistical and graphical view for your logs in real time monitoring. It allows you to envisage your logs in the form of various dashboards.
Splunk Enterprise Features
Index:Source data from website,applications, databases etc.Also index the data in to Splunk
Search:Enable search features which can be used to find out relevant data through applying different queries.
Alerts: Enable us to set alerts whenever a particular condition is breached, and send notifications via emails and execute scripts to take corrective measures.
Dashboards:Way to visualize data to know what's happening in the infrastructure data.
Pivot:Maps attributes to a table, chart or data visualization.Can be saved as report and added to dashboards
Reports: Enable us to fetch data reports which can be used for may be trend analysis.
Splunk Enterprise Components
Forwarder:Collects and forwards data to an indexer.Its really light weight on resources so can be installed on as many servers as possible.
Indexer:Indexes data received from a forwarder.Searches indexed data when requested by a search head.
Search head:Interacts with users by directing search requests to indexer.Merge search results when directing multiple indexers.
Splunk Installation on CentOS 7
Now we are going to see how to install Splunk on Centos 7 ( 64 bit) machine.
Our server is having 4 GB RAM and 2 CPU.
We will use 3 machines
192.168.1.11 node1 ## Splunk Server
192.168.1.12 node2 ## Splunk Client
192.168.1.13 node3 ## Splunk Client
Go to the link https://www.splunk.com/page/sign_up and create an account on Splunk s that we can download a free trial version of Splunk enterprise.
Once the account is ready, download the RPM for Linux from https://www.splunk.com/en_us/download/splunk-enterprise.html#tabs/linux
Copy the RPM to node1 using winSCP in /opt
Install the RPM
5. Now once the splunk is installed, we are going to accept the license and create admin user
[root@node1 local]# /opt/splunk/bin/splunk enable boot-start --accept-license
6. Configure splunk to start on boot
[root@node1 local]# systemctl start splunk [root@node1 local]# systemctl enable splunk [root@node1 local]# systemctl status splunk
7. Login to the console with http://server_ip:8000 using the admin credentials.
Congratulations !! We have just deployed splunk enterprise on the CentOS server. In the next article, we will learn more about it and move further in our journey to Splunk expertise.